Saturday, April 12, 2014

A Password Odyssey - Two Well Liked Password Managers

About the Contendahs

The Open Source program KeyPass is great for generating and securely storing all sorts of information (passwords, web addresses, SSH keys, ftp logins, even combo lock codes)

LastPassis a web service that securely stores your password information. It runs in the browser and there is no desktop app. There is also a mobile app if you pay the 'freemium'.

Both systems can use a master password for the repository. But Keypass has other options, and one is to use the windows logon credentials to open the database. Both systems are generally secure options.

Lastpass seems to be best for storing website credentials. Keypass is more general purpose and gives greater flexibility (maybe too much?), such as choosing your encryption algorithm. And I have used it as a place to store all sorts of access information, including combo lock codes, ftp logins, and encryption keys.

A great feature of Lastpass is to let it choose passwords for sites, and store them, so that you don't need to remember those passwords. It helpfully reminds you when a password is duplicated between sites, to make each site's password unique. This way you are not relying on your browser or operating system to store your web site passwords. For a little more money, you can get an App on your iPad or smartphone.

Keypass is more the free swiss army knife of password encryption. You need to move that encrypted password file around with you. Or save it in Dropbox and open it from wherever you are. (That feature is front and center in KeypassDroid.)

In the Heartbleed story, Mashable referenced Lastpass. And so I looked into using it as a place to save and update passwords. Looking for browser integration, I decided to give it a try. Converting from Keypass2 KDBX format was not straightforward.

Converting from Keepass2 to Lastpass

Lastpass suggests using a Keypass XML format export with the Lastpass import routine.
The XML import resulted in a series of notes with credentials stored in them,
instead of a list of sites and the username and password stored in the correct field.

The obvious thing to try is a CSV export.
Save the database as a CSV.
Edit the CSV to match the column format in Excel. (Yes you still need that!)

Unfortunately, my favorite Mac Keepass port; KyPass Companion did not allow CSV export,
so I had to fire up a PC to convert the data.

The next thing to note is that the import process un-checks entries without a URL. I always used Keepass as a reference, so I did not have a URL for each site. Without the URL, the browser integration piece is broken.

So, you really want to track down the URLs and enter them in your CSV file before importing the CSV. In any case you will want to decide whether to check the entries for sites that would otherwise not be imported during the process.

Running the import with an edited CSV

With a complete CSV, Lastpass complains about using Chrome during the import - so I had to open up Safari. Or install Firefox. Safari worked just fine.

Final Impressions

Both programs seem to be secure. Lastpass is only free in two ways: Free in the browser, and free as in beer. Keepass is open source, and so the source code is available for review (free as in freedom); and there is no cost unless you wish to pay for a specialized version such as KyPass Companion.

Given that the Heartbleed OpenSSL bug was available for review for two years before it was discovered - the freedom argument is even more of a philosophical one this week.

Keepass is definitely the winner when it comes to a convenient file based manager.

If you're OK with Dropbox, that is also a really handy way to sync Keepass files.

And I think it is better as a swiss army knife, to store items other than website login information.

Having used Lastpass for a few minutes - it really is easy to jump onto a website with browser integration. Having looked at how they claim encryption is done in Lastpass, seeing that the passwords are encrypted before they reach the server, that is another great feature. If the server is compromised, your passwords are still encrypted.

When changing passwords, however, the browser integration is annoying. Unfortunately the app does not overwrite (clear out) anything that was previously entered in these 'new password' fields when it inserts the new replacement password. But you can work around this by generating a new password. Then copy and paste your generated new password into the two 'new password' fields directly before updating.

Make sure the 'old' password is good. It's easy to get out of sync when generating a new password. You might want to copy down the old one before you make any updates. Particularly in a case where there is no easy password recovery option.

Parting Thought

I am not sure if I will be comfortable with a process where I never see the password itself. Generally I remember many dozens of passwords, so until now Keepass has really been a backup. What if Lastpass goes down?